ADVERTISING 
ASSOCIATION 


Response to the ICO consultation on the draft direct marketing 
code of practice 


About the Advertising Association 


1. 


The Advertising Association promotes the role and rights of responsible advertising and its value 
to people, society, businesses and the economy. We bring together companies that advertise, their 
agencies, the media and relevant trade associations to seek consensus on the issues that affect 
them. We develop and communicate industry positions for politicians and opinion-formers, and 
publish industry research through advertising’s think-tank, Credos, including the Advertising Pays 
series which has quantified the advertising industry’s contribution to the economy, culture, jobs and 
society. 


Context 


2. 


The membership of the Advertising Association is very broad and includes the associations 
representing industry sectors, such as the advertisers (through ISBA), the agencies and advertising 
production houses (through the IPA and APA), all the media (broadcasters and publishers, cinema, 
radio, outdoor and digital) and marketing services such as direct marketing and promotions. 


Advertising is important. It plays a crucial role in brand competition, drives product innovation and 
fuels economic growth. It also provides revenues to fund a diverse and pluralistic media enjoyed by 
children and young people. 


Advertising is a driver of economic growth and competition. Every pound spent on advertising 
returns £6 to GDP. Advertising spend will be over £23.6 billion this year and this will result in over 
£142bn to GDP, supporting 1 million jobs across the UK. 


According to Deloitte research carried out on behalf of the Advertising Association, the one million 
jobs supported by advertising can be broken down as follows: 

= 350,000 jobs in advertising and the in-house (brands) production of advertising; 

= 76,000 jobs in the media sectors supported by revenue from advertising; 

= 560,000 jobs supported by the advertising industry across the wider economy. 


As reported in Advertising Pays: UK Advertising’s Digital Revolution’, advertising’s contribution to 
the economy topped £138 billion in 2018 in the UK. Online advertising accounted for 57% of that 
amount and is predicted to grow to a 62% market share by 2020. The ad-tech sector, which provides 
digital tools and services for the advertising industry, comprises of more than 300 UK- 
headquartered companies, with over £1bn invested in this sphere since 2013. This UK is now the 
largest online advertising market in Europe and third in the world behind the US and China. 


Please contact [A (SEEING adassoc.org.uk) for further information on any of the 


points raised in this submission. 


Our response 


8. 


The AA welcomes the opportunity to respond to the ICO’s consultation on the draft direct marketing 
code of practice. Our general concern relates to the approach of the direct marketing code of 
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practice and that it does not take nuanced positions on the different channels of marketing. The 
ICO also appears to be taking the position that online behavioural advertising and some types of 
social media are classified as direct marketing. We would argue that these technologies target 
audiences rather than be directed to particular individuals. 


9. The purpose of PECR and this Code is to prevent people receiving unsolicited communications. 
However, the current drafting of the Code appears not to have considered the situation whereby 
users have signed up for an ads-based service. In other words, the user has signed up for a service 
knowingly that is free and supported by ads. Therefore, we would argue that the user has consented 
to receive ads and expects to see ads being delivered to them. These ads are not direct marketing 
and accordingly should not be regulated as such. 


10. We believe that there is a need for a distinction between: (1) processing which is covered by GDPR; 
and (2) direct marketing covered by PECR / ePrivacy. The ICO proposes a broad definition of ‘direct 
marketing purposes’, including the processing of personal data to send direct marketing 
communications and all processing activities which lead up to, enable or support sending those 
communications. Including all processing under PECR and GDPR in one single definition could 
lead to confusion and conflation between the two in terms of which legal bases are available to 
what form of processing. 


11. In our view the code is overly prescriptive in some areas and departs from risk-based principles 
that form the core of the GDPR. We think there needs to be a better balance between assessing 
risk and actual harm to consumer welfare. Furthermore, in our review of the Code we noted the 
following issues 


Sending direct marketing messages 


12. Although the Code correctly states that the ‘soft opt-in’ for electronic mail only applies to the 
commercial marketing of products and services and not to the ‘promotion of aims and ideals’, but 
we think this excludes charities unfairly and would impact their ability to fundraise and promote their 
activities. 


What is ‘solicited’ and ‘unsolicited’ marketing? 


13. The ICO’s definition of ‘unsolicited’ marketing could be confusing for industry. Within industry, the 
term unsolicited is usually synonymous with ‘cold’ marketing. Under the ICO’s definition, an 
individual could opt-in to receive future communications from a company on a new offer but would 
still be considered ‘unsolicited’. Although this is still considered lawful, it is confusing for marketers 
and is not consistent with how these terms are used in the industry. Most marketers would describe 
all communications for which someone had given their consent, whether it is for immediate or future 
communications, as solicited. 


How do we decide our lawful basis for direct marketing? 


14. Page 30 of the Code states that “if PECR requires consent, then processing personal data for 
electronic direct marketing purposes is unlawful under the GDPR without consent”. It goes on to 
say that “you cannot use legitimate interests to process data if unlawful under other legislation’. 
This suggests that obtaining consent to send marketing emails to customers would also need 
consent for any other processing related marketing. For example, any processing that also captures 
profiling or segmentation, according to this interpretation, would also require additional consent. 
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15. We do not agree that consent is the only legal basis that can be used. Consent is not required if 
the profiling does not have a legal or similarly significant impact, which most profiling for marketing 
purposes lack. Additionally, excessive consent requests could lead to consent fatigue. 


16. By tying direct marketing to one specific legal basis, the ICO unnecessarily restricts the legal bases 
available to the controller under the GDPR. And in doing so, the ICO does not consider the different 
contexts in which online advertisement can be shown to audiences. We would draw attention to 
recital 47 of the GDPR which explicitly states that fhe processing of personal data for direct 
marketing purposes may be regarded as carried out for a legitimate interest. 


17. Profiling allows marketers to deliver relevant advertising accurately to the consumer, whilst also 
reducing the wastage of irrelevant ads. If additional consent boxes are required alongside the usual 
consent box to send email marketing it would add complexity, not only to the consumer, but the 
underlying data structures in CRM. Individual consent responses would need to be recorded for 
each channel and campaign. This would affect CRM selections negatively, as well as the user 
experience. 


Good practice recommendation 


18. The ICO recommends consent for all direct marketing activities, whether PECR requires it or not. 
This would seem at odds to the advice on the ICO website “Consent is not the silver bullet for GDPR 
compliance” published in 20172. We believe trade associations have an important role in developing 
best practices to industry to help avoid confusion between the legal interpretation and what the 
regulator would find acceptable. 


19. Furthermore, the ICO recommends that data processors do not rely on consent collected by a third 
party given more than six months prior. This recommendation would be extremely onerous on 
industry. There are many reasons why a marketer might delay a marketing communication until the 
most relevant time for the consumer. If a consumer recently made a significant purchase, for 
example a new car, they would be unlikely to want to receive further communications immediately 
after. Again, this risks consumer consent fatigue, and undermines the value of consent. 


What do we need to tell people if we collect their data from other sources? 


20. We support the principle of increased transparency, particularly in how companies collect and 
process personal data. However, the data collected by companies is often used to create more 
accurate and relevant communications, which in turn produce better business decisions. As long 
as communications to prospects or customers informs them about the data sources and provides 
an opportunity to opt-out, it provides sufficient transparency without a separate message from the 
list owner. Until now, companies that collect data from sources, even such as Companies House, 
have often relied upon the ‘disproportionate effort’ exemption to help cope with the challenges to 
their business. The data subject may not be suitable for a specific campaign and companies do not 
want to bombard customers with communications. In addition to this, many large direct mail 
campaigns are not completed within a month. 


21. This leads to two implications. Firstly, if the data is used for internal processes only such as data 
hygiene, and not as a mailing list, it should be regarded as legitimate interest. 
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22. Secondly, the ICO’s guidance states it is unlikely that companies are able to rely on the 
‘disproportionate effort’ exemption. We find this problematic for two reasons: (1) Neither the GDPR 
or the EDPB guidance on transparency refers to what sectors this exemption can or cannot apply 
to. Instead it requires companies to perform a balancing test and document the reasons why it was 
not possible to inform the data subject and the measures to protect the data subject’s rights; (2) if 
the exemption is removed, this has a potentially huge economic impact on data services companies 
that aggregate data from various sources, including public sources, and then resell this data. If it is 
no longer a viable business, it would have a knock-on effect to all the companies that use this data 
for customer acquisition campaigns or use the various data products. 


In-app messaging 


23. The code explains that the PECR rules apply to specific types of electronic communication, 
including in-app messages, and that in-app messages are “electronic mail” as defined in Regulation 
2 of PECR. We would welcome an explanation as to why in-app messages fall within the definition, 
and some examples of in-app messages intended to be included within the definition. 


Can we use third parties to send our direct marketing? 


24. Page 82 of the Code paraphrases PECR to suggest that it applies to the ‘sender’, ‘caller’ or 
‘instigator’. Under this wording, we are not clear whether email service providers (ESPs) would be 
captured under this definition, as they are the ones “physically” sending the email. Furthermore, 
emails can be automated and scheduled through systems such as Mailchimp and Dotmailer. There 
is potential scope creep which would have a devastating impact on businesses. 


25. Many publishers use hosted emails to offer relevant advertising to their subscribers or customers. 
We believe that a relevant offer supplied to a first party audience should be allowed when there is 
a first party relationship with the hosted email provider. There are many businesses that use this 
as a business model, sending offers they source to those who have opted-in. 


26. Referral marketing is a legitimate form of marketing. Large and small business rely on referrals, 
which can at a basic level include word of mouth. A large percentage of brands are built around or 
use a form of referral marketing. Moreover, the Code is not entirely clear whether the definition of 
‘instigator covers direct marketing messages that include incentives. If it does, then this would have 
a disproportionate effect on consumer welfare because it is not allowing customers to receive 
information about offers or discounts, or information about alternative services or products. This 
would affect competition and for new entrants to enter the market. 


Is all online advertising covered by the direct marketing rules? 


27. On page 86, the ICO reaffirms its view that all cookies, except for the ones described in Regulation 
6 of PECR, require consent. We wish to highlight the diverging views on cookies across several 
European DPAs which adds to general confusion for industry. 


[France ë O eoma ë feen 


Do Not always. Yes. There is no exception. | No, unless they Yes 
analytic Certain analytic Though ICO states that itis | lead to a transfer of 
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cookies cookies can be “unlikely that priority for any | personal data to a 

require exempted from formal action would be third party. Even in 

consent? | prior consent given to uses of cookies that case, likely no 
requirements if where there is a low level of | consent would be 
they meet a list of | intrusiveness and low risk necessary if users 


cumulative of harm to individuals,” and | can easily opt out 
requirements first-party analytics cookies | from the data 
provided by the are given as an example of | transfer to the third 
CNIL. cookies that are potentially | party. 

low risk. 


Source: IAPP https://iapp.org/media/pdi/resource_center/CNIL_ICO_chart.pdf 


How does direct marketing using social media work? 


28. AA members are concerned that on page 90, in relation to list-based processing, the ICO’s draft 
Code suggests that “it is likely that consent is the appropriate lawful basis for this processing as it 
is difficult to see how it would meet the three-part test of the legitimate interests basis”. It is unhelpful 
that the draft Code does not clarify why list-based processing would not meet the three-part test if 
organisations rely on legitimate interests to conduct this type of direct marketing activity. We think 
that as long as an organisation meets the transparency requirements regarding list-based 
marketing and allows for users to opt-out from direct marketing, the use of legitimate interests 
should be permitted by the Code. 


Can we offer data brokering services? 


29. This reference states consent should be used as the legal basis for all direct marketing, which 
contradicts other advice from the draft code of practice implying legitimate interest could be used. 
This is out of date and needs to be reconsidered. 


4 March 2020 
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